DETAILED ACTION

1. This action is responsive to communication: appeal brief filed 20 December 2005, with
recognition of original filing date of 19 April 2000. 

2. Claims 25-30, 45, 54, and 55 are currently pending in this application. Claims 25, 29, 
and 54 are independent claims. 

Response to Arguments 

3. In view of the appeal brief filed on 20 October 2004, PROSECUTION IS HEREBY 
REOPENED. New grounds of rejection are set forth below. 

To avoid abandonment of the application, appellant must exercise one of the following 
two options: 

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 
CFR 1.113 (if this Office action is final); or, 

(2) request reinstatement of the appeal. 

If reinstatement of the appeal is requested, such request must be accompanied by a 
supplemental appeal brief, but no new amendments, affidavits (37 CFR 1.130, 1.131 or 1.132) or 
other evidence are permitted. See 37 CFR 1.193(b)(2). 

Applicant's arguments, in the filed Appeal Brief on 20 December 2005 with respect to 
claims 25-30, 45, 54, and 55 have been considered but are moot in view of the new ground(s) of 
rejection. This office action is a Non-Final Rejection in order to allow applicant sufficient opportunity
to respond to the new line of rejection.
Claim Rejections - 35 USC §103

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 25, 26, 27, 29, 54, and 55 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Flint et al. U.S. Patent No. 6,453,419 (hereinafter '419) in further view of
Freund U.S. Patent No. 5,987,611.

As to independent claim 54, "A method for displaying access policies for a security 
service for a computer network" is taught in '419 col. 2, lines 6-51 (Note this reference shows 
how the access policy is built in a graphical user interface (GUI) system);

"services and resources" is disclosed in '419 col. 4, lines 26-36; 
the following is not taught in '419: 

"the computer network comprising defined users" however '611 teaches "The user is
now ready to specify to which people and/or to which computers the new rule is to apply. As
shown in FIG. 7F, the wizard dialog 740 (now 740d) includes a pane which allows the user to
define a set which includes or excludes people, computers, and/or groups thereof. In a manner to
that previously described for defining activities and for specifying applications, the pane includes
an outline list 761 from which the user can select to include or exclude items" in col. 26, lines
18-30;
"the method comprising the steps of displaying, on a computer display unit, a grid
having nodes, laid out on a first and on a second axis; displaying, on the grid, unit user 
labels corresponding to the user data, each user label labeling nodes aligned relative to the 
first axis of the grid, and" however '611 teaches "The client-side monitoring component 
provides a preferred user interface 600, as shown in FIG. 6A. The interface 600 serves to display 
the user's current Internet activity and/or past log. As illustrated, the interface 600 includes a 
main menu 601, a selection or tool bar 605, a Web applications panel 610, a contents panel 620, 
and a details panel 630. The tool bar 605 provides a display filtering mechanism, affecting the 
actual information displayed by the various panels. For instance, the user can employ the tool 
bar 605 for selecting what type of information to show (e.g., applications), which user the system 
should display information for (e.g., the current user or another named user), and what time 
frame is of interest to the user (e.g., "today"). Selection icons 640, positioned along one side of 
the interface 600, provide one-click access to user commands (which correspond to those 
available from the menu 601)" in col. 22, lines 44-59 and col. 7, lines 17-29 "The present
invention, however, is not limited to any particular one application or any particular
environment. Instead, those skilled in the art will find that the system and methods of the present 
invention may be advantageously applied to a variety of system and application software, 
including database management systems, word processors, spreadsheets, and the like, operating 
on a variety of different platforms, including the Macintosh.RTM. operating system, the 
UNIX.RTM. operating system, NextStep.RTM. operating system, and the like. Therefore, the 
description of the exemplary embodiments which follows is for purposes of illustration and not 
limitation" (note: the GUI has a first and second axis this is inherent, the grid like appearance
claimed is a common display in spreadsheet or database applications); 

"displaying on the grid resource labels corresponding to the services and resources
data, each resource label labeling nodes aligned relative to the second axis of the grid, 
whereby the nodes in the grid correspond to access policies for the defined users and 
defined services and resources for the computer network, corresponding to the user and 
resource labels" however '611 teaches "FIG. 6B illustrates appearance of the interface 600 
(now 600a) during operation of a Web browser (e.g., Netscape Navigator.TM. or Microsoft 
Internet Explorer.TM. browser software). The applications panel 610 (now 610a) shows the 
currently-executing applications or processes. As shown at 611, current Web processes for this
example include Internet Explorer. In the currently-preferred embodiment, processes are
illustrated in an outline (hierarchical) view, with individual processes represented by nodes of the
outline. Upon the user selecting to expand an application node (e.g., by clicking on node 611),
the system, in response, displays dependent or child nodes representing protocols employed by
that application. For the application node 611, for instance, the system displays child nodes 612"
in col. 22, lines 60 through col. 23, line 23. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify a security service for a computer network taught in '419 to include a means to 
configure and administer user policy. One of ordinary skill in the art would have been motivated 
to perform such a modification to increase security see '611 col. 3, lines 4 et seq. "There are still
other disadvantages to centralized filtering. The approach is difficult to configure and administer. 
The task of setting up different rights for different users, workstations, or workgroups, for 
instance, is particularly difficult. No facilities are provided for delegating certain access and
monitoring authority, for example, in order to allow a workgroup supervisor to manage less 
critical aspects of the Internet access for his or her group without going through a central 
authority. Also, a centralized filter cannot distinguish between "active" use of the Internet (i.e., 
when user interaction with the PC causes the Internet access) and "background" use (i.e., when 
an application accesses the Internet without user interaction). Still further, a centralized filter is 
easily circumvented, for example by a user employing a modem for establishing a dial-up 
connection to an ISP (Internet Service Provider). Similarly, the proxy-server approach is 
unattractive. Special versions or specialized configurations of client applications are required, 
thus complicating system administration. Internet setup for portable computers employed at 
remote locations is especially complicated". 

As to dependent claim 55, this claim is directed to a program storage device performing 
the method of claim 54 and is therefore rejected along similar rationale. 

As to independent claim 25, this claim is directed to a graphical user interface of the 
method of independent claim 54 and is therefore rejected along similar rationale. 

As to dependent claim 26, "further comprising a user definition component for
defining a business relationship tree data structure representing a set of the defined users
and in which the user labels displayed by the graphical user interface correspond to the
business relationship tree data structure" is taught in '419 col. 3, lines 31-47.

As to dependent claim 27, "further comprising a resource definition component for
defining a resource tree data structure representing a set of the defined services and 
resources and in which the resource labels displayed by the graphical user interface 
correspond to the resource tree data structure" is shown in '419 col. 3, line 61 through col. 4,
line 7. 

As to independent claim 29, "A graphical user interface" is disclosed in '419 col. 2, 
lines 6-51; 

"for a security service for a computer network" is taught in '419 col. 2, lines 6-13; 

"the computer network comprising defined users represented by a business 
relationship tree data structure" is shown in '419 col. 3, lines 31-47; 

"the computer network further comprising services and resources, represented by a 
resource tree data structure" is disclosed in '419 col. 6, lines 25-37 (Also note the similarities 
between FIGS. 4-8 of '419 to FIG 10 of applicant's invention);

"the graphical user interface comprising display means for displaying a grid 
comprising nodes laid out on a first axis and on a second axis" is shown in '611 col. 26, lines
18-30; 

"user labels corresponding to the users in the business relationship tree data 
structure, each user label labelling nodes aligned relative to the first axis of the grid" is 
disclosed in '611 col. 22, lines 44-59 and col. 7, lines 17-29;

"and resource labels corresponding to the defined services and resources in the 
resource tree data structure, each resource label labelling nodes aligned relative to the 
second axis of the grid, the nodes in the grid corresponding to access policies for the 
defined users and defined services and resources, corresponding to the user and resource 
labels" is taught in '611 col. 22, line 60 through col. 23, line 23.
6. Claims 25, 26, 27, 29, 54, and 55 are rejected under 35 U.S.C. 102(b) as being anticipated
by Flint et al. U.S. Patent No. 6,453,419 (hereinafter '419). 

As to dependent claim 28, the following is not taught in '419 and '611 "further
comprising an access policy editor for defining the nodes in the grid, the access policy
editor comprising means for graphically assembling icons representing policy rules to
define an access policy for a user-specified node" however '261 teaches "The administrator
can define a security policy once and apply it to a plurality of network devices. To accomplish
this, the administrator prepares a symbolic policy and saves it persistently using a unique name.
The name of the policy and an icon representing the policy are displayed in a tree in a pane of a
user interface generated by the mechanism. The physical network available to the administrator 
is displayed as a separate tree of icons that represent network objects. The administrator moves 
the mouse cursor to the previously defined policy, clicks and holds down a mouse button, and 
drags the icon representing the policy over an icon representing a network object. When the 
administrator releases the mouse button, the policy is applied to the network object. In this 
manner, policies can be dragged and applied to NT domains, users, groups, individual 
machines, or to arbitrary groups of machines residing in defined physical or logical networks" 
in col. 14, lines 36-52. 

It would have been obvious to one of ordinary skill in the art at the time of the invention 
to modify a security service for a computer network taught in '419 and '611 to include a means 
to graphically design the user interface. One of ordinary skill in the art would have been 
motivated to perform such a modification to customize the display screen and therefore increase 
user flexibility see '261 col. 4, lines 38-44 "There is also a need for a way to construct a 



Application/Control Number: 09/552,345

Art Unit: 2134 

representation of a network security policy in which the representation is easily correlated with 
the policy. There is a particular need for such a mechanism that does not require the 
administrator to have knowledge about low-level network protocol details and about the 
particular network protocols that are used by application programs". 

As to dependent claim 30, "the grid comprising inheriting nodes and defining nodes,
the defining nodes corresponding to access policies expressly defined by a policy manager, 
the graphical user interface further comprising means for displaying inherited access 
policies for inheriting nodes in the grid by propagating access policies from the defining 
nodes in the grid across the inheriting nodes below the defining nodes in each of the 
business relationship tree data structure and the resource tree data structure" is shown in 
'261 col. 13, lines 37-50 "Thereafter, administrators can reference the network objects in the 
Networks tree 720 when developing security policies. For example, the administrator can 
prepare a security policy that accepts or rejects a data packet depending on whether the
destination of the packet is the software engineering group 726, the marketing group 728, or one 
of the hosts 730 within a group. Accordingly, the security policies are kept simple because, 
rather than incorporating the network-specific information, the security policies inherit
knowledge about the network from the Networks tree 720. Further, a security policy may be 
attached to a group of objects rather than only to a single object". 

As to dependent claim 45, this claim is directed to a program storage device performing 
the method of claims 25, 26, and 30; therefore it is rejected along similar rationale. 

Conclusion 
7. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Ellen C Tran whose telephone number is
(571) 272-3842. The examiner can normally be reached from 6:00 am to 2:30 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (571) 272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished
applications is available through Private PAIR only. For more information about the PAIR
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

Ellen C. Tran
Patent Examiner 
Technology Center 2134 
23 February 2006 




